A Google security researcher has uncovered a bug in uTorrent that can let a hacker hijack the software to deliver malware.
The problem mainly affects uTorrent Web, the newer version of the popular BitTorrent client, which contains a serious remote code execution bug, according to Google researcher Tavis Ormandy.
He discovered a flaw in the way uTorrent communicates data and stores an authentication token. A webpage loaded in a browser could be rigged to steal the token and gain complete control over the uTorrent service. “Once you have the secret, you can just change the directory torrents are saved to, and then download any file anywhere,” he wrote in a report about the bug.
It doesn’t help that by default uTorrent Web is configured to run automatically on startup. With control over the client, a webpage’s owner could direct the software to download a piece of malware. The malware can then be delivered into a Windows PC’s startup folder, which will load the program on the next boot. All that’s needed is to trick a victim into visiting the malicious website.
On Tuesday, BitTorrent released an update to uTorrent Web that patches the problem. It’s available in build 0.12.0.502, which can be downloaded through the official uTorrent website or via the application itself.
“BitTorrent expects to have builds with fixes to all reported vulnerabilities available to customers within the next 24 hours,” VP of engineering David Rees said in an email.
Ormandy began reporting the problems to BitTorrent in December. He also found a similar flaw in uTorrent Classic that can expose what torrents you’ve downloaded to a rigged website. Ormandy said the problem was fixed in a beta build of the software.